A couple of weeks ago two students conducting security research contacted me about a vulnerability which they believed they had found with Facebook.

Rui Wang and Zhou Li said that they had found a vulnerability which allowed malicious websites to access a Facebook user's private data without permission. According to Rui and Zhou, it was possible for any website to impersonate other sites which had been authorised to access users' data such as name, gender and date of birth.

Furthermore, the researchers found a way to publish content on the visiting users' Facebook walls (under the guise of legitimate websites) - a potential way to spread malware and phishing attacks.

Here's a YouTube video by Rui and Zhou where the vulnerability is demonstrated. (Note: there's no sound on the video.)

When I first experimented last week on a test site created for me by Zhou and Rui, I couldn't precisely mimic what you see in the video. The demo website wasn't able to extract the name of my test Facebook account, and it displayed a "failed" dialog box when it tried to post to my Facebook wall.

Now it's possible that it didn't work because I had applied some pretty rigid privacy settings to my test account. Sure enough, when I tried again (having installed the ESPN Facebook app onto my test account) it was then successful: the demo site was able to extract my name and email address, and to post an "evil" link seemingly via the app.

Ouch!

The good news is that the students practised responsible disclosure, and informed Facebook's security team about the flaw rather than releasing details of how to exploit users' profiles to all and sundry.

Facebook Security responded promptly, and should be applauded for fixing the vulnerability rapidly once they were informed about it.

Clearly Facebook's website is a complex piece of software, and it is almost inevitable that vulnerabilities and bugs will be found from time to time. The risk is compounded by the fact that the site holds so much sensitive personal information about its users, so a single flaw can potentially put many people at risk.

If I understand correctly, it's not possible to extract anything anymore as Facebook fixed it shortly after being notified.
Also, if this had been exploited in the wild, I think it would have been fairly high profile given that potentially an attacker could have theoretically posted on your behalf and had it attributed to an app you already authorised and trusted.

Correct, the exploit did not become public knowledge. The researchers shared it with a security journalist at The Register and myself (perhaps others in the same industry too, I don't know) to confirm their findings.

It's great that they acted responsibly and worked with Facebook's security team to get the problem fixed rather than reveal the details for all the world to exploit.

I have sacked Facebook today due to a site called "The Daily Gossip". It has just over a thousand people all joined. It all began when a conversation between me and my daughter in August was flashed up before my very eyes, and was a personal conversation. I was absolutely amazed to see some group I had joined 72 hours previously simply going back to August and showing me this long conversation.
I was happily finding all my cousins, as I moved away from the area I lived in many years ago, but to be honest I am never touching any social network site again, as my private conversations were flashed all over the page to abuse me and be a clever fella in his book. Since Facebook has grown it seems to me that not everything has been thought out properly, and therefore it is just a sham site and a complete joke to the average computer user. -10 out of -10

Well, I can't get back on sodding Faceache... something's weird, I'm getting messages to change password on all my mail accounts... hmmmm, I dunno, I don't care, I've decided to put my laptop in the microwave... problem solved.

I wish Facebook would be more protective of people's rights, vs the way most of it is run, too intrusive. Need much more information on ways to protect people who use it for good reason, not to cause harm to computers or others.

About the author

Graham Cluley runs his own award-winning computer security blog at https://grahamcluley.com, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Follow him on Twitter at @gcluley